The present invention relates to detecting and protecting computers from threats that can be spread over a computer network and more specifically to the use of remote expert systems in threat protection.
Networks such as the Internet can enable rapid communication of information between computers. Unfortunately, the capability of computers to communicate is often used to victimize computer systems and/or their users. A variety of known threats exist that are spread using networks. One example of a threat is a computer virus. Computer viruses are programs that typically seek to reproduce themselves and can also modify and/or damage the lost computer system. Another threat to a computer user is Phishing. Phishing schemes (also known as carding and spoofing) typically seek to fraudulently acquire sensitive information, such as passwords and/or credit card details, by masquerading as a trustworthy person or business in an apparently official electronic communication, such as an email, a web page or an instant message. Another type of threat is Spam. Spamming is the sending of unsolicited email messages in bulk. Spam usually does not represent a significant risk to a computer, however, large volumes of Spam can congest networks, result in increased email server costs and reduce the efficiency of computer operators. Spyware is another type of threat. Spyware is a broad category of malicious software intended to intercept or take partial control of a computer's operation without the user's informed consent. While the term taken literally suggests software that surreptitiously monitors the user, it has come to refer more broadly to software that subverts the computer's operation for the benefit of a third party. Examples of Spyware include software designed to deliver unsolicited pop-up advertisements (often referred to as “adware”), software that steals personal information (often referred to as “stealware”). Spyware as a class of threat is very broad and is difficult to characterize. Although not always the case, Spyware typically does not seek to reproduce and in this regard are often distinct from viruses. Another type of threat is hijacking. There are generally considered to be two classes of hijacking. Client hijacking is a term used to describe a threat involving a piece of software installed on a user's computer to hijack a particular application such as a search. Examples of client hijacking include redirecting a user from a know website to another website or appending affiliate information to a web search to generate revenue for the hijacker. A second class of hijacking is referred to as server hijacking. Server hijacking involves software that hijacks a server and usually involves hijacking a web site. The server hijacking may involve a simple redirection or could be the redirection of results generated by a search engine. Yet another type of threat is automated hacking. Automated hacking typically involves a computer program that is installed on the computer. Once the program is installed the program will attempt to steal confidential information such as credit card numbers and passwords.
Computers can run software that is designed to detect threats and prevent them from causing harm to a computer or its operator. Often, threat signatures are used to identify threats. A threat signature is a characteristic of a threat that is unique and, therefore, distinguishes the threat from other potentially benign files or computer programs. A limitation of systems that use threat signatures to detect threats is that these systems do not, typically, possess a threat signature for a previously unknown threat. The lack of a threat signature can be overcome by attempting to identify a new threat as soon as it manifests itself. Once the threat is identified, a threat signature can be generated for the threat and the new threat signature distributed to all of the computers in the threat detection system. In the case of mass spreading threats (i.e. threats designed to spread to a large number of computers very rapidly), the number of computers that fall prey to the threat is typically dependent upon the time between the threat first manifesting itself and the distribution of a threat signature.